* Wed Jul 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-24
- Label user cron spool file with user_cron_spool_t
- Update gnome_role_template() template to allow sysadm_t confined user to log in to xsession
- Allow logrotate_t domain to manage collectd_rw_content files and dirs
- Add interface collectd_manage_rw_content()
- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
- Update tomcat_can_network_connect_db boolean to allow tomcat domains to also connect to redis ports
- Allow mysqld_t domain to manage cluster pid files
- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t
- Allow ptp4l_t domain to write to the pmc socket created by the pmc command line tool
- Allow dkim-milter to send e-mails BZ(1716937)
- Update spamassassin policy to make the /usr/share/spamassassin/sa-update.cron script work BZ(1711799)
- Update svnserve_t policy to make svnserve hooks work
- Allow varnishlog_t domain to check for presence of varnishd_t domains
- Update sandboxX policy to make firefox work inside SELinux sandbox
- Remove allow rule from svirt_transition_svirt_sandbox interface so that containers are not allowed to connect to random services
- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use PKCS#11 devices
- Allow gssd_t domain to list tmpfs_t dirs
- Allow mdadm_t domain to read tmpfs_t files
- Allow sbd_t domain to check presence of processes labeled as cluster_t
- Dontaudit httpd_sys_script_t reading systemd unit files
- Allow blkmapd_t domain to read nvme devices
- Update cpucontrol_t domain to make the microcode service work
- Allow domain transition from logwatch_t to postfix_postqueue_t
- Allow chronyc_t domain to create and write to non_security files in case a sysadmin redirects output to a file, e.g. 'chronyc -n tracking > /var/lib/test'
- Allow httpd_sys_script_t domain to mmap httpcontent
- Allow sbd_t to manage cgroups_t files
- Update wireshark policy to make tshark labeled as wireshark_t work
- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
- Allow sysadm_t domain to create netlink selinux sockets
- Make cgdcbxd active in Fedora upstream sources
- Allow sysadm_t domain to dbus chat with rtkit daemon
- Allow x_userdomains to nnp domain transition to thumb_t domain
- Allow unconfined_domain_type to setattr own process lnk files
- Add interface files_write_generic_pid_sockets()
- Dontaudit writing to user home dirs by gnome-keyring-daemon
- Allow staff and admin domains to setpcap in user namespace
- Allow staff and sysadm to use lockdev
- Allow staff and sysadm users to run iotop
- Dontaudit traceroute_t domain requiring sys_admin capability
- Dontaudit dbus chat between kernel_t and init_t
- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
Parent: 9a1d06b5aa
Commit: 9fad02a45b

.gitignore (vendored): 2 lines changed
@ -385,3 +385,5 @@ serefpolicy*
|
|||||||
/selinux-policy-905153e.tar.gz
|
/selinux-policy-905153e.tar.gz
|
||||||
/selinux-policy-contrib-9e9bb01.tar.gz
|
/selinux-policy-contrib-9e9bb01.tar.gz
|
||||||
/selinux-policy-f1ee18a.tar.gz
|
/selinux-policy-f1ee18a.tar.gz
|
||||||
|
/selinux-policy-contrib-2e0b14e.tar.gz
|
||||||
|
/selinux-policy-8935967.tar.gz
|
||||||
|
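Review bot: the two new entries (`/selinux-policy-contrib-2e0b14e.tar.gz`, `/selinux-policy-8935967.tar.gz`) are appended next to the previous per-commit entries instead of replacing them, so this file grows by two lines on every upstream rebase. Since the spec names the tarballs as `%{name}-%{shortcommit0}.tar.gz` and `%{name}-contrib-%{shortcommit1}.tar.gz`, a single glob such as `/selinux-policy-*.tar.gz` (next to the existing `serefpolicy*`) would cover every future snapshot and end the churn; if per-hash lines are kept on purpose, the superseded f1ee18a and 9e9bb01 entries could be dropped in the same commit.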
@ -1,11 +1,11 @@
|
|||||||
# github repo with selinux-policy base sources
|
# github repo with selinux-policy base sources
|
||||||
%global git0 https://github.com/fedora-selinux/selinux-policy
|
%global git0 https://github.com/fedora-selinux/selinux-policy
|
||||||
%global commit0 f1ee18a0881e4e4e31c5431079b8ad607fbf20bb
|
%global commit0 89359670764aa34dd1e03fae712cfd08dc00b3fd
|
||||||
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
|
||||||
|
|
||||||
# github repo with selinux-policy contrib sources
|
# github repo with selinux-policy contrib sources
|
||||||
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib
|
%global git1 https://github.com/fedora-selinux/selinux-policy-contrib
|
||||||
%global commit1 9e9bb01a0b4a6e716368c4c73639363daae12fe7
|
%global commit1 2e0b14ec0adfc0c5b0865d3ec09a30a9cfe996c6
|
||||||
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
|
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
|
||||||
|
|
||||||
%define distro redhat
|
%define distro redhat
|
||||||
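Review bot: `commit0` moves from f1ee18a to 8935967 and `commit1` from 9e9bb01 to 2e0b14e, but nothing in this hunk or in the changelog records what upstream range those bumps cover, so a reader of the spec cannot tell which of the 41 changelog entries came from selinux-policy versus selinux-policy-contrib, or check that the snapshot matches them. Pinning the full 40-hex SHA is right (the `Source` and `Source29` archive URLs are derived from it), but please add the old..new short ranges for both repos to the changelog entry or the commit message so the snapshot is auditable against upstream history.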
@ -29,7 +29,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.14.4
|
Version: 3.14.4
|
||||||
Release: 23%{?dist}
|
Release: 24%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
|
Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
|
||||||
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
|
Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
|
||||||
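Review bot: `Release` goes from 23 to 24 with `Version` left at 3.14.4, which agrees with the new changelog header `3.14.4-24`; nothing else to flag in this hunk.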
@ -787,6 +787,49 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-24
|
||||||
|
- Label user cron spool file with user_cron_spool_t
|
||||||
|
- Update gnome_role_template() template to allow sysadm_t confined user to login to xsession
|
||||||
|
- Allow lograte_t domain to manage collect_rw_content files and dirs
|
||||||
|
- Add interface collectd_manage_rw_content()
|
||||||
|
- Allow systemd_hostnamed_t domain to dbus chat with sosreport_t domain
|
||||||
|
- Update tomcat_can_network_connect_db boolean to allow tomcat domains also connect to redis ports
|
||||||
|
- Allow mysqld_t domain to manage cluster pid files
|
||||||
|
- Relabel /usr/sbin/virtlockd from virt_exec_t to virtlogd_exec_t.
|
||||||
|
- Allow ptp4l_t domain to write to pmc socket which is created by pmc command line tool
|
||||||
|
- Allow dkim-milter to send e-mails BZ(1716937)
|
||||||
|
- Update spamassasin policy to make working /usr/share/spamassassin/sa-update.cron script BZ(1711799)
|
||||||
|
- Update svnserve_t policy to make working svnserve hooks
|
||||||
|
- Allow varnishlog_t domain to check for presence of varnishd_t domains
|
||||||
|
- Update sandboxX policy to make working firefox inside SELinux sandbox
|
||||||
|
- Remove allow rule from svirt_transition_svirt_sandbox interface to don't allow containers to connect to random services
|
||||||
|
- Allow httpd_t domain to read /var/lib/softhsm/tokens to allow httpd daemon to use pkcs#11 devices
|
||||||
|
- Allow gssd_t domain to list tmpfs_t dirs
|
||||||
|
- Allow mdadm_t domain to read tmpfs_t files
|
||||||
|
- Allow sbd_t domain to check presence of processes labeled as cluster_t
|
||||||
|
- Dontaudit httpd_sys_script_t to read systemd unit files
|
||||||
|
- Allow blkmapd_t domain to read nvme devices
|
||||||
|
- Update cpucontrol_t domain to make working microcode service
|
||||||
|
- Allow domain transition from logwatch_t do postfix_postqueue_t
|
||||||
|
- Allow chronyc_t domain to create and write to non_security files in case when sysadmin is redirecting output to file e.g: 'chronyc -n tracking > /var/lib/test'
|
||||||
|
- Allow httpd_sys_script_t domain to mmap httpcontent
|
||||||
|
- Allow sbd_t to manage cgroups_t files
|
||||||
|
- Update wireshark policy to make working tshar labeled as wireshark_t
|
||||||
|
- Update virt_use_nfs boolean to allow svirt_t domain to mmap nfs_t files
|
||||||
|
- Allow sysadm_t domain to create netlink selinux sockets
|
||||||
|
- Make cgdcbxd active in Fedora upstream sources
|
||||||
|
- Allow sysadm_t domain to dbus chat with rtkit daemon
|
||||||
|
- Allow x_userdomains to nnp domain transition to thumb_t domain
|
||||||
|
- Allow unconfined_domain_type to setattr own process lnk files.
|
||||||
|
- Add interface files_write_generic_pid_sockets()
|
||||||
|
- Dontaudit writing to user home dirs by gnome-keyring-daemon
|
||||||
|
- Allow staff and admin domains to setpcap in user namespace
|
||||||
|
- Allow staff and sysadm to use lockdev
|
||||||
|
- Allow staff and sysadm users to run iotop.
|
||||||
|
- Dontaudit traceroute_t domain require sys_admin capability
|
||||||
|
- Dontaudit dbus chat between kernel_t and init_t
|
||||||
|
- Allow systemd labeled as init_t to create mountpoints without any specific label as default_t
|
||||||
|
|
||||||
* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-23
|
* Wed Jul 10 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.14.4-23
|
||||||
- Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager
|
- Update dbusd policy and netowrkmanager to allow confined users to connect to vpn over NetworkManager
|
||||||
- Fix all interfaces which cannot by compiled because of typos
|
- Fix all interfaces which cannot by compiled because of typos
|
||||||
|
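Review bot: the entry `Allow chronyc_t domain to create and write to non_security files` hands a small confined utility create and write access to every file type not marked security-sensitive, which is far broader than the quoted use case (`chronyc -n tracking > /var/lib/test`); please narrow it (a dedicated type, or a rule scoped to the redirected-output case) or record the justification in the entry. Several other entries also widen policy without a reference (`Allow staff and admin domains to setpcap in user namespace`, `Allow unconfined_domain_type to setattr own process lnk files.`, `Allow systemd labeled as init_t to create mountpoints without any specific label as default_t`), while only the dkim-milter and spamassassin entries cite a BZ; a BZ or upstream commit per loosening would make the snapshot reviewable. Typos in the added lines, which will be preserved verbatim in `rpm -q --changelog`: `lograte_t` (logrotate_t), `collect_rw_content` (the interface added on the next line is `collectd_manage_rw_content()`), `spamassasin`, `tshar` (tshark) and `from logwatch_t do postfix_postqueue_t` (to).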
sources: 8 lines changed
@ -1,4 +1,4 @@
|
|||||||
SHA512 (selinux-policy-contrib-9e9bb01.tar.gz) = 455867d510d56daca40bc152f3c62ab73d4715331841785862386ec009ebeea1a736f791e1171fbfa8d82a4acc7ea0b5801200266f2a5b098d1c8d036fb8159f
|
SHA512 (selinux-policy-contrib-2e0b14e.tar.gz) = 9a36911c82c26a80bc742dccae340aa8e31dbd6e0bef9bc6ac0366ea4c6ac8779ebd537a7a8c6e4e3764e33a536c6103ffa74b60d7d013adf31ecee393b959ea
|
||||||
SHA512 (selinux-policy-f1ee18a.tar.gz) = dbaf7d5f30ba8823ff24e7d4dc0b20c3551b150dea1eb64bca37d1ff836916f1bad87eba18feba5a98c99b93943828734e29ff0432c343a669b6e9dd2b8945dc
|
SHA512 (selinux-policy-8935967.tar.gz) = da08e88ff01eb236bea8ea90286c53900396559af4f9ba439166f3f6800e6b4d61480b1d54c358ae9f149e5eefbac00683a5f0c96386ec2aa61afc8cf447e5d5
|
||||||
SHA512 (container-selinux.tgz) = 7528e71d2143f327362c27d1ac8c48bb4e627a7a7e5483bbf7ad73d92fbdb65f19cb33b057ca51b71fd542cf27c31b0e0a9eb8ac714bb002db1ced1c8144149d
|
SHA512 (container-selinux.tgz) = 59ec026e8c06f2b8cd01fdfedd47249d97f828f23c6532e4ff7b80becfd5ed00a69f706f26e80e736c477b9d7460f8ad6c4f9bbb74b8c78c5c2b1ee067f70747
|
||||||
SHA512 (macro-expander) = b4f26e7ed6c32b3d7b3f1244e549a0e68cb387ab5276c4f4e832a9a6b74b08bea2234e8064549d47d1b272dbd22ef0f7c6b94cd307cc31ab872f9b68206021b2
|
SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
|
||||||
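Review bot: the checksums for `container-selinux.tgz` and `macro-expander` change in this hunk, but neither the spec hunks above nor any of the 41 changelog entries mention a new container-selinux or macro-expander snapshot, so there is no record of what was uploaded under those two names or where it came from; because both are fetched by bare name (no version or commit in the filename, unlike the two policy tarballs), the SHA512 line is the only provenance that exists. Please add the upstream commit or version for each to the changelog, or better, name them with a commit hash the way the policy tarballs are. The two policy tarball lines are consistent with the rest of the change: their file names carry the shortcommits 8935967 and 2e0b14e that `.gitignore` adds and that `commit0`/`commit1` now resolve to.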